Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
APRIL 18 + 19, 2011
Revisions to the PIV
Biometrics Specifications
DRAFT FIPS 201-2 WORKSHOP
APRIL 18 + 19, 2011
Image Group, Information Access Division
National Institute of Standards and Technology
US Department of Commerce
1
2
3
4
5
6
5. Accuracy specifications Preamble
Agenda
. Preamble
. Iris
. Match-on-Card
. Swipe sensors
. Accuracy specifications
. What’s in, out, and next steps
Part 1:
Preamble
http://biometrics.nist.gov/76.pdf
Draft 800-76-2 released April 17, 2010�
Posting to the SP register is imminent�http://csrc.nist.gov/publications/PubsSPs.html�
-
-
-
-
-
-
PIV :: Documents Hierarchy
FIPS 201
SP 800 73 Card
SP 800-76 Biometrics
SP 800 78 Crypto
SP 800 79 Issuer Accreditation
SP 800 85 Conformance
SP 800 104 Topography
SP 800 116 Physical Access Control Systems
HSPD-12
Policy Binding under
FISMA Technical Specifications
NIST SP 800-76 Lineage
Prior: “-0” on 2006-02-01 27 pages
Current: “-1” on 2007-01-25 33 pages
Draft: “-2” on 2011-04-17 61 pages Draft - Out for public comment
http://biometrics.nist.gov/76.pdf
http://csrc.nist.gov/publications/PubsSPs.html
1
2
3
4
5
6
. ccuracy spec ca ons Iris
. Preamble
. Iris
. Match-on-Card�
. Swipe sensors�
5. A ifi ti Accuracy specifications
. Next steps
Part 2:
Iris
or m n mum accuracy
Change #1 :: Iris for PIV :: Why/How
The problem
Fingerprints sometimes do
not work
Some people are difficult to
image (dry skin)
Permanent damage to Permanent damage to�fingers
Temporary damage to
fingers
Non-habituated users
Poor quality control during
enrolment (?)
One solution
Add iris to PIV
Iris image on the card
Iris image off the card (CMS)
Support with specifications
F i iFor minimum accuracy
requirements
For tests of algorithms
For tests of cameras
For interfaces to cameras
For interfaces to recognizers
Conformance tests
r s as a ac mo a ty Presence of iris equipment
Change #1 :: Iris for PIV :: Context
The PIV Context
Iris is required for
cardholders for whom
fingerprint authentication
during issuance fails
I i f llb k d li�Iris as fallback modality
The consequences
Requires purchase of�camera and ancillaries�
Capital cost
Variable costs(?)
Presence of iris equipment
extends a new option for
operational authentication
Attended
Unattended PACS + LACS
ype n ar w t
Change #1 :: Addition of iris :: Data format
Cropped and
masked image
Type 7
Standard defines interoperable images
ISO/IEC 19794-6:2011
T 7 O C d i h JPEG 2000 Type 7 On Card with JPEG 2000
Type 2 Off Card with PNG or RAW Parent image from camera
US Registry of Biometric Standards
recommends these.
Tested in IREX I
Type 1 or 2
Not storing / sending / requiring
templates http://iris.nist.gov/irex
Proprietary, non-interoperable,�laden with intellectual property,�sometimes larger than the image�itself�
Tagged biometric
Change #1 :: Iris for PIV :: Implementation
Following the arrangement of fingerprint minutia data on
current PIV cards… Two irises in one container.
container (SP 800-73)
2.65M cards issued 07/2009
CBEFF
Header =88 bytes
ISO Iris
Image Image
Header ≥107 bytes
ISO Iris
Image
Data
CBEFF
Signature
block
~2 * 3KB or
1 * 3-6 KB
~ 500 bytes
1
2
3
4
5
6
. ccuracy spec ca ons Match-on-Card
. Preamble�
. Iris�
. Match-on-Card
. Swipe sensors
5. A ifi ti Accuracy specifications
. Next steps
Part 3:
Match-on-Card
Change #2 :: Addition of MOC :: Background
MINEX II
Accuracy and speed of card-based algorithms
P. Grother, W. Salamon, C. Watson, M. Indovina, and P. Flanagan,
MINEX II Performance of Fingerprint Match-on-Card Algorithms Phase
II / III Report NIST Interagency Report 7477
Three editions, 2008, 2009 and 2011
Contact: [email protected]
sBMOC “Secure Biometric Match-on-Card”
Demonstration of secure protocols for biometric authentication.�
D. Cooper, H. Dang, P. Lee, W. MacGregor, and K. Mehta. Secure
Biometric Match-on-Card Feasibility Report. NIST Interagency Report
7452, November 2007.
Contact: [email protected]
Change #2 :: Addition of MOC :: Background
Reference
Template:
sent via PUT
DATA
Verification Template
sent via VERIFY
Verification Template
sent via VERIFY
Privacy Enhancing
Technology (PET):
The template cannot be The template cannot be
read from the card
No need for a central
database�
Cryptographically
hardened token
Change #2 :: Addition of MOC :: Why / When
The problem
PIN release of a biometric is
time consuming
PINs are sometimes
forgotten, and committed to
paper paper
well motivated: PIN protects
biometric from free-read
(e.g. after Card loss)�
The proposed solution
Allow on-card comparison
for authentication after PIN
for card activation no PIN,
prohibit release of current
card templates card templates
Change #2 :: Addition of MOC :: How
The PIV implementation
Four ISO/IEC 19794-2:2011
templates
Primary + secondary finger
with plain-impression sensor
AND swipe sensor AND swipe sensor
Use 7816-4, 7816-11
No extensions
Not standardized ones, and�
Not proprietary ones either�
The consequences
Cannot use the existing PIV
Cards directly.
Needs ISO/IEC 19794-2
“compact card” templates
Client-side issuance software Client-side issuance software
effects conversion.
MOC is agency-optional
Requires cards with on-board
matcher
Contact + contactless with
cryptographic protection
Secure Session�
1
2
3
4
5
6 . ccuracy spec ca ons Swipe Sensors
. Preamble�
. Iris�
. Match-on-Card�
. Swipe sensors
5. A ifi ti Accuracy specifications
. Next steps
Part 3:
Swipe Sensors
nswers: er ormance,
Change #3 :: Swipe Sensors :: Drivers
The problem
Fingerprint sensors exist on
many PCs today, why the
need to add “PIV-certified”
sensors?
A P fAnswers: Performance,
Interoperability
Plain-impression “area”
sensors are more expensive
A solution
Allow swipe sensors
Reduced cost
For authentication against
enrolled swipe data
With qualification criteria With qualification criteria
Restrict domain-of-use
Use with MOC only
Logical access only?
Not in attended operations
(issuance, re-issuance etc)
Not with mandatory PIV
templates
Specific request for comment w pe goes orwar as ra e
Change #3 :: Swipe Sensors :: Input Needed
Specific caveats
Little empirical data on which to
safely include swipe matching
into PIV. Swipe is attractive on
grounds of cost, and possibly on
grounds of spoof resistance.
Specific request for comment�swipe accuracy and viability
interoperability with optically-
derived templates
operating with standardized
minutia templates
operational experiences
liveness
Possible ways forward
All swipe-related specifications
may be withdrawn in the next
version of this draft.
Defer until quantitative evidence is
available
S i f d d ft�Swipe goes forward as drafted d�But no implementation passes the
mandated performance test.
. ccuracy
1. Preamble
2. Iris
3. Match-on-Card�
4. Swipe sensors�
5 A
Part 5:
Minimum Accuracy 5. Accuracy
specifications
n mum Accuracy
6. Next steps
Mi i
Specifications
w en or But FIPS 140-2 does!
Change #4 :: Minimum Accuracy :: Why
The problem
800-76-1 established
interoperability criteria for
fingerprint minutia
equipment
FRR ≤ 1% h FAR ≤ 1% f FRR ≤ 1% when FAR ≤ 1% for
ALL template generators and
matchers
BUT
FAR of 1% is non-operational
(but fit-for-purpose
nevertheless)
The backdrop
FIPS 201 does not establish
agency biometric security
requirements of biometric
match
But FIPS 140-2 does!
Motivation for six digit PIN in
PIV today
FIPS 140-3 is under
development
threshold
Change #4 :: Minimum Accuracy :: How
The specifications
Establish minimum security
requirements
By requiring false match
rates be less than X.
Agency optional on whether Agency optional on whether
FMR < X or FMR << X per
Agency requirements
Application requirements
For all modalities
Iris
On-card comparison
Off-card comparison
The mechanism
Algorithm tests exist within
PIV today
FMR objective is achieved
by setting a calibrated
threshold
Threshold calibration is a by-product of existing NIST tests�
Not specifying FRR
. ccuracy Next Steps
1. Preamble
2. Iris
3. Match-on-Card�
4. Swipe sensors�
55. AAccuracy
specifications
6. Next steps
Part 6:
Next Steps
_ .
SP 800-76-2
IS OPEN FOR COMMENT
EMAIL COMMENTS [email protected]�
BY JUNE 6, 2011�
THIS IS THE SAME DEADLINE AS THE FIPS 201-2�
Draft SP 800-76-2 :: In + Out
What’s in
Off-card fingerprint, mandatory
Iris, conditional mandatory
On-card fingerprint, optional
Face, optional on card, for human
adjudication adjudication
Swipe sensors
Minimum accuracy requirements
What’s not in
Is face available for biometric
authentication
No mentioned of UUID
No guidance on biometric update
(the ageing problem)
New biometric standards INCITS 378:2009 minutia templates
ISO/IEC 19794-2 for off-card minutiae
ISO/IEC 19794-5:2005 or 2011 face
Other modalities
Vein, Face (automated FR), Hand
Geometry, etc.